Commit Graph

131 Commits

Author SHA1 Message Date
Moonchild d42beba473 Merge pull request #1502 from athenian200/nss348_solaris
Un-bust building of NSS after update to 3.48 on Solaris.
2020-03-31 11:40:05 +02:00
wolfbeast a205ee7040 Issue #1280 - Un-bust certerror pages and ForgetAboutSite 2020-03-31 09:44:30 +02:00
athenian200 389f436c15 Issue #1501 - Un-bust building of NSS after update to 3.48 on Solaris. 2020-03-30 22:54:29 -05:00
wolfbeast 0afd46b48d Issue #1280 - Part 2: Remove HPKP tests. 2020-03-28 11:02:10 +01:00
wolfbeast 55aa6ce7b3 Issue #1280 - Part 1: Remove HPKP components.
This also removes leftover plumbing for storing preload information
in SiteSecurityService since no service still uses it.
2020-03-28 01:06:56 +01:00
wolfbeast e9723a6fdb Issue #1498 - Part 6: Remove STS preloadlist pref. 2020-03-27 23:27:07 +01:00
wolfbeast 50ebd35073 Issue #1498 - Part 5: Update SSService CID and correct mismatch. 2020-03-27 16:16:43 +01:00
wolfbeast 8ea2c0d5ed Issue #1498 - Part 4: Remove clearPreloads.
Also tag #1280
2020-03-27 15:13:00 +01:00
wolfbeast 9c4aef8675 Issue #1498 - Part 3: Remove support for storing "knockout" values. 2020-03-27 15:07:34 +01:00
wolfbeast 09a229c702 Issue #1498 - Part 1: Stop persisting preload states.
Since we don't use preloading anymore for either HPKP or HSTS, we no
longer need persistent storage in the profile for preload states.
Tag #1280 also
2020-03-27 14:02:23 +01:00
wolfbeast 595c8d53df Issue #1498 - Part 1: Stop using HSTS preload lists. 2020-03-27 12:49:01 +01:00
Matt A. Tobin bc127ada3b Take nsSiteSecurityService out of UNIFIED_SOURCES
It exceeded the obj file sections limit because of the HSTS preload list so it cannot be built in UNIFIED mode.
2020-03-25 01:02:52 -04:00
wolfbeast cc9b40cc21 Issue #447 - Update HSTS preload list 2020-03-24 20:35:47 +00:00
wolfbeast 6f1d8fcce1 Issue #1467 - Part 4: Rename NSS_SQLSTORE to MOZ_SECURITY_SQLSTORE.
Rename the build config option accordingly.
2020-03-19 23:01:29 +01:00
wolfbeast 6cbe27d149 Issue #1467 - Part 3: Use UTF-8 file paths for NSS-SQL database. 2020-03-17 20:14:22 +01:00
wolfbeast 2a4827ea40 Issue #1467 - Part 1: Set up conditional NSS-SQL builds.
- Adds buildconfig option --enable-nss-sqlstore
- Prefixes NSS dbinit with either sql: or dbm: depending on config
- Pre-initializes mozStorage when NSS-SQL storage is used to prevent
  an sqlite3_config race in NSS Init
2020-03-16 13:38:19 +01:00
Matt A. Tobin 9b86872d37 Issue #1053 - Remove android support from nsNSSComponent.cpp 2020-02-28 16:51:00 -05:00
wolfbeast 33ad27614a Issue #447 - Update HSTS preload list & reduce debug spew
Commented out spewing dump() statements in loops. With the ever growing
HSTS list it takes too much time and is pointless to display.
2020-02-01 01:37:52 +00:00
Kai Engert 6d761aa68f Issue #1338 - Follow-up: Also cache the most recent PBKDF1 hash
This rewrites the caching mechanism to apply to both PBKDF1 and PBKDF2
2020-01-23 13:11:09 +01:00
wolfbeast 722161775b Issue #1338 - Bump NSS version
Our NSS version is closer to the currently-released .1, so bump version
to that.
Note: we still have some additional patches to the in-tree version in
place so this isn't a 100% match to the RTM one.
2020-01-20 11:59:36 +01:00
Kai Engert 3733205f09 Issue #1338: Follow-up: Cache the most recent PBKDF2 password hash,
to speed up repeated SDR operations.

Landed on NSS-3.48 for Bug 1606992
2020-01-14 13:08:48 +01:00
Daiki Ueno f64e760ab0 Issue #1338 - Followup: certdb: propagate trust information if trust
module is loaded afterwards,

Summary: When the builtin trust module is loaded after some temp certs
being created, these temp certs are usually not accompanied by trust
information. This causes a problem in UXP as it loads the module from a
separate thread while accessing the network cache which populates temp
certs.

This change makes it properly roll up the trust information, if a temp
cert doesn't have trust information.
2020-01-10 20:34:53 +01:00
wolfbeast 9365776219 Issue #1338 - Un-bust building of NSS after update to 3.48 on Linux. 2020-01-10 18:17:14 +01:00
wolfbeast 8198126c39 Be more consistent about decoding IP addresses in PSM. 2020-01-09 21:39:28 +01:00
wolfbeast f4a12fc676 Issue #1338 - Part 2: Update NSS to 3.48-RTM 2020-01-02 21:06:40 +01:00
wolfbeast f71108680b Issue #1118 - Part 6: Fix various tests that are no longer correct.
The behavior change of document.open() requires these tests to be
changed to account for the new spec behavior.
2019-12-22 23:48:40 +01:00
wolfbeast 2529b2edec Update NSS version. 2019-12-06 17:13:09 +01:00
Craig Disselkoen d927df43e6 [NSS] Bug 1586176 - EncryptUpdate should use maxout not block size. 2019-12-06 16:06:30 +01:00
J.C. Jones 836e72e96c [NSS] Bug 1508776 - Remove unneeded refcounting from SFTKSession
SFTKSession objects are only ever actually destroyed at PK11 session
closure, as the session is always the final holder -- and asserting
refCount == 1 shows that to be true. Because of that, NSC_CloseSession
can just call `sftk_DestroySession` directly and leave
`sftk_FreeSession` as a no-op to be removed in the future.
2019-12-06 15:36:44 +01:00
wolfbeast fcea217aac Issue #447 - Update HSTS preload list 2019-11-19 09:46:25 +00:00
wolfbeast f4cc93fc9e Issue #1289 - Part 3: Update tests. 2019-11-14 12:17:00 +01:00
wolfbeast d5a604bb89 Issue #1289 - Part 2: Clear out the preload list except for test
domains.
2019-11-14 12:16:21 +01:00
wolfbeast 0a8dff5256 Issue #1289 - Part 1: Add a pref to disable HPKP header processing. 2019-11-14 12:13:54 +01:00
wolfbeast 736d25cbec Issue #447 - Improve the getHSTSPreloadList script
- Use HEAD instead of GET for probe to avoid loading pages
- Reduce retries to 2
- Reduce timeout to 10 s (since we're just getting a HEAD this is royal)
- Identify ourselves to websites as an automated tool
- Improve performance of list merging (O(n^2) was getting too expensive)
- Add a total counter and perform GC every 200 requests
2019-11-09 13:10:23 +01:00
wolfbeast 78e8ad72f9 Issue #447 - Update HSTS preload list. 2019-11-09 11:02:21 +01:00
wolfbeast 6df8aa4953 Issue #1064 - Part 3: Fix notifyObservers() call. 2019-11-04 15:05:23 +01:00
wolfbeast 5f37447acd Issue #1064 - Part 2: Fix shorthand and services module import. 2019-11-04 15:04:12 +01:00
wolfbeast c5c44d1207 Merge branch 'master' into certexception-work 2019-11-04 13:31:30 +01:00
Moonchild 21b3f62474 Merge pull request #1262 from athenian200/solaris-work
Support Modern Solaris
2019-11-02 14:37:22 +01:00
wolfbeast 29317adcbc Update NSS version 2019-10-24 16:52:46 +02:00
Kevin Jacobs c525bb7918 Add length checks for cryptographic primitives
This rollup patch adds additional length checks around cryptographic
primitives.
2019-10-24 16:47:28 +02:00
wolfbeast edfba06ce3 Support longer (up to RFC maximum) HKDF outputs
HKDF-Expand enforces a maximum output length much shorter than stated in
the RFC. This patch aligns the implementation with the RFC by allocating
more output space when necessary.
2019-10-24 16:14:41 +02:00
athenian200 fca7c45a62 MoonchildProductions#1251 - Part 16: Resolve namespace conflicts with dbm on Solaris.
https://bugzilla.mozilla.org/show_bug.cgi?id=1513913

Mozilla's solution to this is arguably overkill, since the namespace issue on Solaris only required them to change (or temporarily undefine) __log2. Instead they changed ALL the functions to be something along the lines of dbm_log2. They haven't changed the external interface at all, though.

If you're unhappy with this patch, I think I could also use XP_SOLARIS ifdefs to undefine __log2 prior to where it's declared in the dbm headers. The good thing about Mozilla's solution is that it guarantees this namespace issue never occurs again on any platform, though.
2019-10-21 04:53:42 -05:00
wolfbeast e3c13af976 Properly implement various HSTS states.
Previously, HSTS preload list values could be overridden temporarily due
to counter-intuitive behavior of the API's removeState function.
This adds an explicit flag to the API for writing knockout values to
the Site Security Service, with the default resetting to whatever the
preload list state is.
2019-09-05 18:23:12 +02:00
wolfbeast a63272b530 No issue: Clean up exceptionDialog.js
- Fix some quoting, comments and inconsistencies and code style
- Swap manually grabbing service components out for using `Services.*`
2019-08-17 22:33:51 +02:00
wolfbeast 3252e22000 Issue #1064: Don't get certificate details synchronously.
This avoids getting data synchronously on the main thread in an XHR
(which has been deprecated for a long time and _may_ actually be blocked
in our networking) and attempts to be more predictable by always firing
an update request for the dialog from the XHR request handlers.
2019-08-17 22:28:30 +02:00
wolfbeast 89bd45bf91 Update NSS version. 2019-07-17 01:55:51 +02:00
wolfbeast 5f7e98fff1 Prohibit the use of RSASSA-PKCS1-v1_5 algorithms in TLS 1.3
This is a spec compliance issue.
2019-07-17 01:44:56 +02:00
wolfbeast 1e560deff8 Don't unnecessarily strip leading 0's from key material during PKCS11 import. 2019-07-17 01:31:34 +02:00
wolfbeast ef189737a3 Apply better input checking discipline. 2019-07-17 01:15:00 +02:00